1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 * 25 * Copyright 2023 OmniOS Community Edition (OmniOSce) Association. 26 */ 27 28 #include <libtsnet.h> 29 #include <stdlib.h> 30 #include <string.h> 31 #include <syslog.h> 32 #include <zone.h> 33 34 #include <security/pam_appl.h> 35 #include <security/pam_modules.h> 36 #include <security/pam_impl.h> 37 38 #include <tsol/label.h> 39 40 /* 41 * pam_tsol_account - Trusted Extensions account management. 42 * Validates that the user's label range contains 43 * the process label (label of the zone). 
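 */

/*
 * Return a printable form of a PAM string item for the debug log:
 * "NULL" when the item is missing, "ZERO" when it is an empty string,
 * otherwise the item itself.
 */
static const char *
item_str(const char *s)
{
	if (s == NULL)
		return ("NULL");
	if (*s == '\0')
		return ("ZERO");
	return (s);
}

/*
 * Release the user's label range and the process label.
 *
 * Either argument may be NULL: a NULL range is skipped here, and a NULL
 * label is handed to m_label_free(), which the free_labels(range, NULL)
 * call in pam_sm_acct_mgmt() already relies on to accept it.
 */
static void
free_labels(m_range_t *r, m_label_t *l)
{
	if (r != NULL) {
		m_label_free(r->lower_bound);
		m_label_free(r->upper_bound);
		free(r);
	}
	m_label_free(l);
}

/*
 * pam_sm_acct_mgmt - PAM account-management entry point.
 *
 * Module options (argv):
 *   debug            log the values being checked at LOG_DEBUG
 *   allow_unlabeled  skip the remote-host type check in the global zone
 *
 * flags is unused.
 *
 * Returns:
 *   PAM_IGNORE        the system is not labeled (Trusted Extensions off)
 *   PAM_USER_UNKNOWN  no PAM_USER item is set
 *   PAM_SYSTEM_ERR    getuserrange() or getplabel() failed
 *   PAM_BUF_ERR       m_label_alloc() failed
 *   PAM_PERM_DENIED   the process label is outside the user's range, or
 *                     the remote host is not a SUN_CIPSO host
 *   PAM_SUCCESS       otherwise
 */
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	int i;
	int debug = 0;
	int allow_unlabeled = 0;
	/*
	 * Initialised so that a pam_get_item() failure (its return value is
	 * discarded below) cannot leave the pointers indeterminate.
	 */
	const char *user = NULL;
	const char *rhost = NULL;
	m_range_t *range;
	m_label_t *plabel;

	for (i = 0; i < argc; i++) {
		if (strcmp(argv[i], "debug") == 0) {
			debug = 1;
		} else if (strcmp(argv[i], "allow_unlabeled") == 0) {
			allow_unlabeled = 1;
		} else {
			/* Unknown options are logged and otherwise ignored. */
			__pam_log(LOG_AUTH | LOG_ERR,
			    "pam_tsol_account: illegal option %s", argv[i]);
		}
	}

	/* Trusted Extensions not enabled */

	if (!is_system_labeled())
		return (PAM_IGNORE);

	(void) pam_get_item(pamh, PAM_USER, (const void **)&user);

	(void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);

	/* Logged before the user check so a missing user shows up as NULL. */
	if (debug) {
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_tsol_account: allowed_unlabeled = %d, user %s, "
		    "rhost %s",
		    allow_unlabeled, item_str(user), item_str(rhost));
	}
	if (user == NULL || *user == '\0') {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: no user");
		return (PAM_USER_UNKNOWN);
	}

	/*
	 * Label range check: the process (zone) label must lie within the
	 * user's clearance range.  Every exit path below releases whatever
	 * has been allocated so far.
	 */
	if ((range = getuserrange(user)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: getuserrange(%s) failure", user);
		return (PAM_SYSTEM_ERR);
	}
	if ((plabel = m_label_alloc(MAC_LABEL)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: out of memory");
		free_labels(range, NULL);
		return (PAM_BUF_ERR);
	}
	if (getplabel(plabel) < 0) {
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "pam_tsol_account: Unable to get process label %m");
		free_labels(range, plabel);
		return (PAM_SYSTEM_ERR);
	}
	if (!blinrange(plabel, range)) {
		free_labels(range, plabel);
		return (PAM_PERM_DENIED);
	}

	free_labels(range, plabel);

	/* Remote Host Type Policy Check */

	/*
	 * In the global zone, a remote login is only accepted from a
	 * SUN_CIPSO host unless allow_unlabeled was given.  The switch
	 * fails closed: UNLABELED and any unrecognised host type are denied.
	 */
	if ((allow_unlabeled == 0) &&
	    (getzoneid() == GLOBAL_ZONEID) &&
	    (rhost != NULL && *rhost != '\0')) {
		tsol_host_type_t host_type;

		host_type = tsol_getrhtype(rhost);
		switch (host_type) {
		case SUN_CIPSO:
			break;

		case UNLABELED:
		default:
			return (PAM_PERM_DENIED);
		}
	}
	return (PAM_SUCCESS);
}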